The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
The development and deployment of internet of things (IoT) devices has proceeded with remarkable speed in the past several years. IoT devices are diverse, including everything from controllers of industrial equipment to smart watches and personal activity monitors. However, security infrastructure has not kept pace with the huge number and wide use of these devices. Some analysts estimate that billions of such devices will be operating and connected to internetworks within a few years, but there is presently no effective security architecture that can efficiently permit IoT devices to be secured effectively, yet readily usable. Key constraints in this technical field have included limited processing power, limited memory, and limited or absent user interface elements. All these characteristics of IoT devices make them difficult to integrate into existing client-server security systems. At the same time, misuse of IoT devices could be catastrophic by permitting an attacker or unauthorized user to gain control of industrial equipment or other systems that have embedded IoT devices.
In existing systems, device applications remotely accessing IoT devices use an industrial protocol over serial or Ethernet without strong, or any type of, authentication. In some security approaches, a device application may include a locking mechanism to prevent an IoT device from being accessed by other users. This traditional approach is susceptible to vulnerabilities as IoT devices can be locked by anyone, including “bad” actors, on the network. For example, malware, instead of the appropriate application, may lock the IoT device. Once the IoT device is locked, the IoT device cannot be controlled by others unless it becomes unlocked. Furthermore, in existing systems, communications between IoT devices are not secured as these communications are transmitted in plain text, leaving them vulnerable to unauthorized eavesdropping. Anyone, including bad actors, listening on the network would be able to access the communications.
Thus, there is a need for an access control authority that securely enables network access based on authenticated sessions with devices and encrypted communications between devices.